
Re: CVE-2020-10938/graphicsmagick and additional upstream change



Hi Roberto,

> I am in favor of including both changes, but I am not certain about
> whether it is better to mention both in the changelog and advisories or
> whether it is better to only mention CVE-2020-10938.  I lean slightly
> toward mentioning both CVE-2020-10938 and the thread safety issue, but
> if that is not a good idea I can be easily persuaded.

Potentially "dumb" question here, but would it be a bad idea to
mention the entire background and story, viz the CVE being assigned
after the changes have been committed, etc.?

That would seem to combine the maximum of clarity to our users with
the minimum of soul-searching & ontological debate regarding what
ought to be included or not by the security team(s).  :)


Best wishes,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-

